Version: 4.5.x LTS

Release notes

Important Information for nevisAdmin 3 Users

nevisAdmin 4 is the completely overhauled configuration and deployment solution for the NEVIS Identity Suite.

nevisAdmin 3 configurations cannot be automatically migrated to nevisAdmin 4. Contact your integration partner if you need assistance migrating from nevisAdmin 3 to nevisAdmin 4.

If you are looking for updates to nevisAdmin 3, check the nevisAdmin 3 documentation.

nevisAdmin 4.5.19 LTS Release Notes - 2023-05-17

Release information

  • RPM: nevisadmin4-4.5.19.1-1.noarch.rpm
  • GUI Version: FE 4.5.17-865 - BE 4.5.19.1

Upgrade instructions and breaking changes

See Software Upgrade for general upgrade instructions.

Dependency upgrades

  • jackson 2.14.2 (NEVISADMV4-8968)
  • jetty-rewrite 9.4.50.v20221201 (NEVISADMV4-8968)
  • springdoc-openapi-ui 1.6.14 (NEVISADMV4-8968)
  • groovy 3.0.15 (NEVISADMV4-8968)
  • aspectjweaver 1.9.19 (NEVISADMV4-8968)
  • jaxb-runtime 2.3.8 (NEVISADMV4-8968)
  • slf4j-api 2.0.6 (NEVISADMV4-8968)
  • spring-boot 2.7.11 (NEVISADMV4-9137)
  • mariadb-java-client 2.7.8 (NEVISADMV4-8968)
  • apache-el 10.1.5 (NEVISADMV4-8968)
  • swagger-codegen 2.4.30 (NEVISADMV4-8968)
  • nimbus-jose-jwt 9.31 (NEVISADMV4-8968)
  • micrometer 1.10.4 (NEVISADMV4-8968)
  • replaced bcprov-jdk15on:1.70 with bcprov-jdk18on:1.73 (NEVISADMV4-9129)
  • replaced bcpkix-jdk15on:1.70 with bcpkix-jdk18on:1.73 (NEVISADMV4-9129)

See Standard Patterns Release Notes, releases 4.5.17 to 4.5.19.

Standard Patterns 4.5.19 LTS 2019 Release Notes - 2023-05-17

Release information

Build Version: 4.5.19.4

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select LTS 2019 Release / 2023 May.

Enter the version in the Search field: 4.5.19.

On how to use this library, see Editing Project Pattern Libraries.

Changes

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.

General

The following changes affect multiple components:

  • PAT-248: Release patterns as a single ZIP file instead of separate JAR files.

Standard Patterns 4.5.18 LTS 2019 Release Notes - 2023-03-27

Release information

Build Version: 4.5.18.4

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select LTS 2019 Release / 2023 Feb.

Enter the version in the Search field: 4.5.18.

On how to use this library, see Editing Project Pattern Libraries.

Changes

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.

SAML / OAuth / OpenID Connect

  • ⚠️ PAT-274: Protection against XML Signature Wrapping (XSW) attacks. By default, the SAML IDP now signs the entire SAML Response.

    This is a breaking change. You have to adapt the configuration of your SAML service providers (SPs) to validate the signature of the Response. If this is not possible, you can opt out of this change by selecting Assertion in the Signed Element drop-down of the SAML SP Connector. If only the Assertion is signed, then your setup may be vulnerable to attacks.

    We recommend checking whether your SP applies appropriate mitigations. If you are using a Nevis SP, then upgrade to the latest applicable version of nevisAuth to benefit from additional checks of the ServiceProviderState. Check the release notes of nevisAuth for details.

    To easily configure which signatures are validated on the SP side, we have added a Signature Validation drop-down to the SAML IDP Connector pattern. The default of this drop-down is both, which means that the signatures of both the Response and the Assertion are checked. This is in line with the change of the default on the IDP side. If you cannot enable response signing on the IDP side, you can opt out of this change by setting the drop-down to Assertion.
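The signed-element choice described in PAT-274, as an added example (not Nevis code): a structural pre-check in Python that reports whether the Response, the Assertion, or both carry an enveloped signature, and applies a policy named after the drop-down values both and Assertion. The function names, the single-Assertion rule and the constructed sample messages are assumptions of this example, and the check does not replace cryptographic signature validation.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RESPONSE = "{%s}Response" % NS["samlp"]
ASSERTION = "{%s}Assertion" % NS["saml"]
SIGNATURE = "{%s}Signature" % NS["ds"]


def _covers_parent(signature, parent):
    """True if the signature has exactly one Reference and it names the parent's ID."""
    refs = signature.findall("ds:SignedInfo/ds:Reference", NS)
    parent_id = parent.get("ID")
    return bool(parent_id) and len(refs) == 1 and refs[0].get("URI") == "#" + parent_id


def inspect_response(xml_text):
    """Report which elements carry an enveloped signature, plus structural findings."""
    # SAML messages never need a DTD; refuse them before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs are not allowed in SAML messages")
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []

    if root.tag != RESPONSE:
        findings.append("root element is not samlp:Response")
    # Strict assumption of this example: one Assertion, directly below the Response.
    assertions = list(root.iter(ASSERTION))
    if len(assertions) != 1 or parent_of.get(assertions[0]) is not root:
        findings.append("expected exactly one Assertion as a direct child of Response")
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(ids) != len(set(ids)):
        findings.append("duplicate ID values")

    signed = set()
    for sig in root.iter(SIGNATURE):
        parent = parent_of.get(sig)
        if (parent is None or parent.tag not in (RESPONSE, ASSERTION)
                or not _covers_parent(sig, parent)):
            findings.append("signature does not cover the element that contains it")
        else:
            signed.add(parent.tag)
    return {
        "response_signed": RESPONSE in signed,
        "assertion_signed": ASSERTION in signed,
        "findings": findings,
    }


def meets_policy(report, policy):
    """Apply a policy named after the drop-down values on the page: 'both' or 'Assertion'."""
    if report["findings"]:
        return False
    if policy == "both":
        return report["response_signed"] and report["assertion_signed"]
    if policy == "Assertion":
        # Opt-out setting: an unsigned Response wrapper is accepted.
        return report["assertion_signed"]
    raise ValueError("unknown policy: %r" % policy)


def _sig(ref_id):
    # Constructed skeleton: only the Reference matters for this structural check.
    return ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/>'
            '</ds:SignedInfo></ds:Signature>' % ref_id)


def build_sample(sign_response, sign_assertion, assertion_ref="_a1"):
    """Build a constructed SAML Response skeleton (no real signature values)."""
    parts = ['<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" '
             'xmlns:ds="%(ds)s" ID="_resp1">' % NS]
    if sign_response:
        parts.append(_sig("_resp1"))
    parts.append('<saml:Assertion ID="_a1">')
    if sign_assertion:
        parts.append(_sig(assertion_ref))
    parts.append('<saml:Subject/></saml:Assertion></samlp:Response>')
    return "".join(parts)


if __name__ == "__main__":
    samples = {
        "response and assertion signed": build_sample(True, True),
        "assertion only (opt-out)": build_sample(False, True),
        "reference does not match parent": build_sample(True, True, assertion_ref="_other"),
    }
    for name, xml_text in samples.items():
        report = inspect_response(xml_text)
        print(name, report,
              "both:", meets_policy(report, "both"),
              "Assertion:", meets_policy(report, "Assertion"))
```

Run such a check on captured responses before switching the SP to both, so that an IDP still signing only the Assertion shows up in testing rather than as failed logins.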

Known limitations and issues

Automatic key management in Kubernetes deployment

In Kubernetes deployments, automatic keystores are scoped to a Kubernetes service.

To support side-by-side deployment, a post-fix is appended to Kubernetes service names.

As the service name is included in the certificate subject, it is required to generate new keystores when a service is renamed.

This can be problematic for keystores used to sign a token, because all truststores used to validate the token signature have to be updated as well.

This means that tokens signed by the previous signer are no longer accepted.

For instance, a previous signer may have been used to sign a SecToken for the user, which is then stored in the session.

To avoid this problem, the following keystores are not scoped to the Kubernetes service. This applies even if side-by-side deployment is not being used:

  • The internal SecToken that nevisAuth issues for itself to access nevisIDM and nevisMeta APIs.
  • Application access tokens issued to the user to access applications protected by nevisProxy.

This works when no key management patterns are assigned, but it may fail when assigning an Automatic Key Store pattern. If you use Automatic Key Store patterns to sign tokens, make sure the pattern name ends with -signer.

Automatic key management renewal in classic VM deployment

When the folder /var/opt/keys/ is completely removed on target hosts in VM deployments, two deployments are required to recreate the key material.

This is an exceptional case which occurs only during disaster recovery or nevisAdmin 4 CA renewal.

HTTP error codes cause session loss

By default, the Virtual Host maps an ErrorFilter that handles HTTP error codes.

For security reasons, the filter is configured to remove response headers.

The behavior can lead to the loss of the nevisProxy session when an HTTP error occurs, while the session cookie is being renewed, for example, after successful authentication.

For status codes 404 and 502, the headers are not reset, which makes session loss less likely.

You can opt out by adding your own HTTP Error Handling pattern.

This pattern allows you to define which status codes are handled, and for which codes the headers are kept.

You can do this using the property Keep Header Status Codes.

Assign the HTTP Error Handling pattern to relevant locations, for example, the entire Virtual Host or in applications.

nevisAdmin 4.5.17 LTS Release Notes - 2023-02-15

Release information

  • RPM: nevisadmin4-4.5.17.1-1.noarch.rpm
  • GUI Version: FE 4.5.17-865 - BE 4.5.17.1

Upgrade instructions and breaking changes

See Software Upgrade for general upgrade instructions.

Notable changes and bug fixes

Dependency upgrades

  • Jackson 2.14.1 (NEVISADMV4-8690)
  • Springdoc-openapi-ui 1.6.13 (NEVISADMV4-8690)
  • Snakeyaml 1.33 (NEVISADMV4-8690)
  • Jaxb-runtime 2.3.7 (NEVISADMV4-8690)
  • Slf4j-api 2.0.4 (NEVISADMV4-8690)
  • Logback-classic 1.3.5 (NEVISADMV4-8690)
  • Commonmark 0.21.0 (NEVISADMV4-8690)
  • Spring-boot 2.7.6 (NEVISADMV4-8690)
  • Spring dependency-management-plugin 1.1.0 (NEVISADMV4-8690)
  • Mariadb-java-client 2.7.7 (NEVISADMV4-8690)
  • Apache-el 10.1.1 (NEVISADMV4-8690)
  • Swagger-codegen-cli 2.4.29 (NEVISADMV4-8690)
  • Shiro 1.11.0 (NEVISADMV4-8912)
  • Nimbus-jose-jwt 9.25.6 (NEVISADMV4-8690)
  • Micrometer 1.10.1 (NEVISADMV4-8690)
  • Build-info-extractor-gradle 4.29.3 (NEVISADMV4-8690)
  • Jinjava 2.6.0 (NEVISADMV4-8690)

See Standard Patterns Release Notes, releases 4.5.16 to 4.5.17.

Standard Patterns 4.5.17 LTS 2019 Release Notes - 2023-02-15

Release information

Build Version: 4.5.17.2

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select LTS 2019 Release / 2023 Feb.

Enter the version in the Search field: 4.5.17.

On how to use this library, see Editing Project Pattern Libraries.

Changes

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.

There are no notable changes in this pattern release. However, we release a new version so that you have a matching version in nevisAdmin 4.

  • ⚠️ REMOVED: The nevisadmin-plugin-mobile-auth patterns are not supported anymore.

Known limitations and issues

Automatic key management in Kubernetes deployment

In Kubernetes deployments, automatic keystores are scoped to a Kubernetes service.

To support side-by-side deployment, a post-fix is appended to Kubernetes service names.

As the service name is included in the certificate subject, it is required to generate new keystores when a service is renamed.

This can be problematic for keystores used to sign a token, because all truststores used to validate the token signature have to be updated as well.

This means that tokens signed by the previous signer are no longer accepted.

For instance, a previous signer may have been used to sign a SecToken for the user, which is then stored in the session.

To avoid this problem, the following keystores are not scoped to the Kubernetes service. This applies even if side-by-side deployment is not being used:

  • The internal SecToken that nevisAuth issues for itself to access nevisIDM and nevisMeta APIs.
  • Application access tokens issued to the user to access applications protected by nevisProxy.

This works when no key management patterns are assigned, but it may fail when assigning an Automatic Key Store pattern. If you use Automatic Key Store patterns to sign tokens, make sure the pattern name ends with -signer.

Automatic key management renewal in classic VM deployment

When the folder /var/opt/keys/ is completely removed on target hosts in VM deployments, two deployments are required to recreate the key material.

This is an exceptional case which occurs only during disaster recovery or nevisAdmin 4 CA renewal.

HTTP error codes cause session loss

By default, the Virtual Host maps an ErrorFilter that handles HTTP error codes.

For security reasons, the filter is configured to remove response headers.

The behavior can lead to the loss of the nevisProxy session when an HTTP error occurs, while the session cookie is being renewed, for example, after successful authentication.

For status codes 404 and 502, the headers are not reset, which makes session loss less likely.

You can opt out by adding your own HTTP Error Handling pattern.

This pattern allows you to define which status codes are handled, and for which codes the headers are kept.

You can do this using the property Keep Header Status Codes.

Assign the HTTP Error Handling pattern to relevant locations, for example, the entire Virtual Host or in applications.

nevisAdmin 4.5.16 LTS Release Notes - 2022-11-16

Release information

  • RPM: nevisadmin4-4.5.16.1-1.noarch.rpm
  • GUI Version: FE 4.5.8-2 - BE 4.5.16.1

Upgrade instructions and breaking changes

See Software Upgrade for general upgrade instructions.

Notable changes and bug fixes

  • UPGRADED: We upgraded dependencies.

See Standard Patterns Release Notes, releases 4.5.15 to 4.5.16.

Standard Patterns 4.5.16 LTS 2019 Release Notes - 2022-11-16

Release information

Build Version: 4.5.16.3

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select LTS 2019 Release / 2022 Nov.

Enter the version in the Search field: 4.5.16.

On how to use this library, see Editing Project Pattern Libraries.

Changes

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.

Authentication

  • PAT-56: Removed unused mermaid.min.js.
  • NEVISADMV4-8515: Back-ported nevisAuth Instance / Start Timeout setting from rolling release.

Known limitations and issues

Automatic key management in Kubernetes deployment

In Kubernetes deployments, automatic keystores are scoped to a Kubernetes service.

To support side-by-side deployment, a post-fix is appended to Kubernetes service names.

As the service name is included in the certificate subject, it is required to generate new keystores when a service is renamed.

This can be problematic for keystores used to sign a token, because all truststores used to validate the token signature have to be updated as well.

This means that tokens signed by the previous signer are no longer accepted.

For instance, a previous signer may have been used to sign a SecToken for the user, which is then stored in the session.

To avoid this problem, the following keystores are not scoped to the Kubernetes service. This applies even if side-by-side deployment is not being used:

  • The internal SecToken that nevisAuth issues for itself to access nevisIDM and nevisMeta APIs.
  • Application access tokens issued to the user to access applications protected by nevisProxy.

This works when no key management patterns are assigned, but it may fail when assigning an Automatic Key Store pattern. If you use Automatic Key Store patterns to sign tokens, make sure the pattern name ends with -signer.

Automatic key management renewal in classic VM deployment

When the folder /var/opt/keys/ is completely removed on target hosts in VM deployments, two deployments are required to recreate the key material.

This is an exceptional case which occurs only during disaster recovery or nevisAdmin 4 CA renewal.

HTTP error codes cause session loss

By default, the Virtual Host maps an ErrorFilter that handles HTTP error codes.

For security reasons, the filter is configured to remove response headers.

The behavior can lead to the loss of the nevisProxy session when an HTTP error occurs, while the session cookie is being renewed, for example, after successful authentication.

For status codes 404 and 502, the headers are not reset, which makes session loss less likely.

You can opt out by adding your own HTTP Error Handling pattern.

This pattern allows you to define which status codes are handled, and for which codes the headers are kept.

You can do this using the property Keep Header Status Codes.

Assign the HTTP Error Handling pattern to relevant locations, for example, the entire Virtual Host or in applications.

nevisAdmin 4.5.15 LTS Release Notes - 2022-08-17

Release information

  • nevisAppliance: 2.201911.788 LTS
  • RPM: nevisadmin4-4.5.15.1-1.noarch.rpm
  • GUI Version: FE 4.5.8-2 - BE 4.5.15.1

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

Changes

  • UPGRADED: Various dependencies have been upgraded.

See Standard Patterns Release Notes, releases 4.5.14 to 4.5.15.

Standard Patterns 4.5.15 LTS 2019 Release Notes - 2022-08-17

Release information

Build version: 4.5.15.3

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select LTS 2019 Release / 2022 Aug.

Enter the version in the Search field: 4.5.15.3

On how to use this library, see Editing Project Pattern Libraries.

Changes

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience.

Review them carefully and adapt your pattern configuration as required.

Authentication

  • NEVISLOG-409: We fixed generic JSON rendering by nevisLogrend.

Known limitations and issues

Automatic key management in Kubernetes deployment

In Kubernetes deployments, automatic keystores are scoped to a Kubernetes service.

To support side-by-side deployment, a post-fix is appended to the Kubernetes service names. As the service name is included in the certificate subject, it is required to generate new keystores for this service. This can be problematic for keystores used to sign a token, because all truststores used to validate the token signature would have to be updated as well. This means that tokens that were signed by the previous signer would no longer be accepted. For example, a previous signer may have been used to sign a SecToken for the user which is then stored in the session.

To avoid this problem, the following keystores are not scoped to the Kubernetes service. This applies even if side-by-side deployment is not being used:

  • The internal SecToken that nevisAuth issues for itself to access nevisIDM and nevisMeta APIs.
  • Application access tokens issued to the user to access applications that are protected by nevisProxy.

This works when no key management patterns are assigned, but it may fail when assigning an Automatic Key Store pattern.

If you use Automatic Key Store patterns to sign tokens, make sure the pattern name ends with -signer.

Automatic key management renewal in classic VM deployment

When the folder /var/opt/keys/ is completely removed on target hosts in VM deployments, two deployments are required to recreate the key material.

This is an exceptional case which occurs only during disaster recovery or nevisAdmin 4 CA renewal.

HTTP error codes cause session loss

By default, the Virtual Host maps an ErrorFilter that handles HTTP error codes. For security reasons, this filter is configured to remove response headers. This behavior can lead to the loss of the nevisProxy session when an HTTP error occurs, while the session cookie is being renewed (for example, after successful authentication). For status codes 404 and 502, the headers are not reset, which makes session loss less likely.

You can opt out by adding your own HTTP Error Handling pattern. This pattern allows you to define which status codes are handled, and for which codes the headers are kept. You can do this using the property Keep Header Status Codes.

Standard Patterns 4.5.14 LTS 2019 Release Notes - 2022-05-18

Release information

Build version: 4.5.14.2

How to install and use the plugins

You can download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select LTS 2019 RELEASE / 2021 Nov.

Enter the version in the Search field: 4.5.14

On how to use this library, see Editing Project Pattern Libraries.

Changes

  • NEVISADMV4-8153: We removed ch.nevis.session.jdbc.connector.store.absTo from the env.conf of nevisAuth instances.

Known issues

Chrome hangs during logout

  • If you use older Frontend TLS Settings, Google Chrome may hang during logout.

LuaFilter removes Content-Length header

The nevisProxy LuaFilter removes the Content-Length header when applied on responses. If you are affected by this, contact support. A mitigation is applied for the SAML SP Realm pattern. However, applications protected by other Realm patterns are still affected when the Session Cookie Same Site Relaxation feature is enabled.

Standard Patterns 4.5.13 LTS 2019 Release Notes - 2022-02-16

Release information

Build version: 4.5.13.1

How to install and use the plugins

You can download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select LTS 2019 RELEASE / 2021 Nov.

Enter the version in the Search field: 4.5.13

On how to use this library, see Editing Project Pattern Libraries.

Changes

Application Protection

  • NEVISADMV4-7891: Fixed a typo in the VERSION-CONTROL HTTP method.

Identity Management

  • NEVISADMV4-7834: Ensure tmp folder inside nevisIDM instance is not deleted on deployment.

Known issues

Chrome hangs during logout

  • If you use older Frontend TLS Settings, Google Chrome may hang during logout.

LuaFilter removes Content-Length header

The nevisProxy LuaFilter removes the Content-Length header when applied on responses. If you are affected by this, contact support. A mitigation is applied for the SAML SP Realm pattern. However, applications protected by other Realm patterns are still affected when the Session Cookie Same Site Relaxation feature is enabled.

Standard Patterns 4.5.12 LTS 2019 Release Notes - 2021-11-17

Release information

Build version: 4.5.12.6

How to Install and Use the Plug-Ins

The plug-in JAR files can be downloaded from the Nevis Portal (http://portal.nevis.net/).

Go to the Downloads section and select LTS 2019 RELEASE / 2021 Nov.

Enter the version in the Search field: 4.5.12.6

To use this library, see the chapter Editing Project Pattern Libraries of the nevisAdmin 4 technical documentation.

Changes

Changes marked with ⚠️ may be breaking and may require pattern configuration changes.

General Changes

  • Added a chmod to automatic key management scripts to fix a permission issue which occurs in certain versions of openssl.

Authentication

  • FIXED: A bug in the generation of SectokenVerifierCert when using multiple realm patterns with different configurations for Internal SecToken Trust Store.

Identity Management

  • UPDATED: We updated the CSRF protection to be compatible with the new nevisIDM release.

Known issues

Chrome hangs during logout

  • If you use older Frontend TLS Settings, Google Chrome may hang during logout.

LuaFilter removes Content-Length header

The nevisProxy LuaFilter removes the Content-Length header when applied on responses. If you are affected by this, contact support. A mitigation has been applied for the SAML SP Realm pattern. However, applications protected by other Realm patterns are still affected when the Session Cookie Same Site Relaxation feature is enabled.

nevisAdmin 4.5.11 LTS Release Notes - 2021-08-18

Release information

  • nevisAppliance: 2.201911.756 LTS
  • RPM: nevisadmin4-4.5.11.1-1.noarch.rpm
  • GUI Version: FE 4.5.8-2 - BE 4.5.11.1

Upgrade instructions and breaking changes

See Software Upgrade for general upgrade instructions.

Changes

  • No changes.

See Standard Patterns Release Notes.

Standard Patterns 4.5.11 LTS Release Notes - 2021-08-18

Release information

Build version: 4.5.11.1

How to install and use the plug-ins

The plug-in JAR files can be downloaded from:

  • Nevis Portal: Downloads
  • AdNovum Client Connect: Deliveries

Nevis Portal:

  • Enter the following in the Search field: 4.5.11.1

Client Connect:

  • Enter the following in the Quick Search field: nevisadmin-plugin4.5.11.1**

No results found?

If the search returns no results, you may not have the required permission to access the nevis-maven-cc repository. Contact Nevis support to grant you access. Refer to these release notes in your request.

To use this library, see the chapter Editing Project Pattern Libraries of the nevisAdmin 4 technical documentation.

Changes

  • The CSRF-protection script now correctly responds with HTTP 403 instead of HTTP 500 if the Origin or Referer headers of a request are malformed.

Known issues

Chrome hangs during logout

  • If you use older Frontend TLS Settings, Google Chrome may hang during logout.

LuaFilter removes Content-Length header

The nevisProxy LuaFilter removes the Content-Length header when applied on responses. If you are affected by this, contact support. A mitigation has been applied for the SAML SP Realm pattern. However, applications protected by other Realm patterns are still affected when the Session Cookie Same Site Relaxation feature is enabled.

nevisAdmin 4.5.10 LTS Release Notes - 2021-05-19

Release information

  • nevisAppliance: 2.201911.? LTS
  • RPM: nevisadmin4-4.5.10.3-1.noarch.rpm
  • GUI Version: FE 4.5.8-2 - BE 4.5.10.3

Upgrade instructions and breaking changes

See Software Upgrade for general upgrade instructions.

Changes

  • FIXED: During force re-deployment, log folders of deployed instances were cleared. The bug is now fixed.

See Standard Patterns Release Notes.

Standard Patterns 4.5.10 LTS Release Notes - 2021-05-19

Release information

Build version: 4.5.10.6

How to install and use the plug-ins

The plugin JAR files can be downloaded from:

  • Nevis Portal: Downloads
  • AdNovum Client Connect: Deliveries

Nevis Portal:

  • Enter the following in the Search field: 4.5.10.6

Client Connect:

  • Enter the following in the Quick Search field: nevisadmin-plugin4.5.10.6**

No results found?

If the search returns no results, you may not have the required permission to access the nevis-maven-cc repository. Contact Nevis support to grant you access. Refer to these release notes in your request.

To use this library, see the chapter Editing Project Pattern Libraries of the nevisAdmin 4 technical documentation.

Changes

  • Configuration options for the SSL Cache were added to the nevisProxy Instance.

Known issues

Chrome hangs during logout

  • If you use older Frontend TLS Settings, Google Chrome may hang during logout.

LuaFilter removes Content-Length header

The nevisProxy LuaFilter removes the Content-Length header when applied on responses. If you are affected by this, contact support. A mitigation has been applied for the SAML SP Realm pattern. However, applications protected by other Realm patterns are still affected when the Session Cookie Same Site Relaxation feature is enabled.

nevisAdmin 4.5.9 LTS Release Notes - 2021-02-17

Release information

  • nevisAppliance: 2.201911.746 LTS
  • RPM: nevisadmin4-4.5.9.0-1.noarch.rpm
  • GUI Version: FE 4.5.8-2 - BE 4.5.9.0

Upgrade instructions and breaking changes

See Software Upgrade for general upgrade instructions.

Changes

  • No changes

See Standard Patterns Release Notes.

Standard Patterns 4.5.9 LTS Release Notes - 2021-02-17

Release information

Build version: 4.5.9.2

How to install and use the plug-ins

To start using this library, see "Editing Project Pattern Libraries".

Changes

Instance Patterns

  • Added a new setting, Initial Memory Ratio, to Instance patterns.

Key Management

  • Fixed invalid error message in PEM Trust Store pattern when a variable is used for Trusted Certificates: as file.
  • Prevent .p12 files generated by PEM Key Store / PEM Trust Store patterns from changing on each deployment.

nevisAuth / nevisLogrend

  • Fixed setting initialInactivityTimeout for the nevisAuth SessionCache.
  • Added a new setting Server Configuration in nevisAuth Instance.
  • The JWT Token pattern now generates out.time_to_live matching the Max Session Lifetime of the corresponding realm.
  • The Nevis SecToken now generates a separate TokenAssembler for each realm the pattern is assigned to.
  • Fixed value for DefaultTokenAssembler / TokenSpec ttl in esauth4.xml
    • This leads to an error when a stepup or logout request is sent to nevisAuth after the minimum time.

Known issues

Chrome hangs during logout

  • If you use older Frontend TLS Settings, Google Chrome may hang during logout.

LuaFilter removes Content-Length header

The nevisProxy LuaFilter removes the Content-Length header when applied on responses. If you are affected by this, contact support.

A mitigation has been applied for the SAML SP Realm pattern. However, applications protected by other Realm patterns are still affected when the Session Cookie Same Site Relaxation feature is enabled.

nevisAdmin 4.5.8 LTS Release Notes - 2020-11-18

Release information

  • nevisAppliance: 2.201911.740 LTS
  • RPM: nevisadmin4-4.5.8.1-1.noarch.rpm
  • GUI Version: FE 4.5.8-2 - BE 4.5.8.1

Upgrade instructions and breaking changes

See Software Upgrade for general upgrade instructions.

Configuration changes

  • The Import Inventory from Zip functionality is located in the Administration tab of inventories. To fix the incorrect data caused by the bug in this functionality, apply the following SQL script manually on your database:

inventory_permissions_fix

-- Delete wrong permissions where inventory does not exist anymore
delete
from assigned_permission
where target not like '/%'
and target not in (select object_id from inventory);

-- Delete wrong CREATE_INVENTORY permissions
delete
from assigned_permission
where target not like '/%'
and operation_name = 'CREATE_INVENTORY';

-- Add ADMIN_INVENTORY permissions
insert into assigned_permission (assignee, operation_name, target)
select assignee, 'ADMIN_INVENTORY', target
from assigned_permission
where target not like '/%'
group by target, assignee;

-- Add DEPLOY_INVENTORY permissions
insert into assigned_permission (assignee, operation_name, target)
select assignee, 'DEPLOY_INVENTORY', target
from assigned_permission
where target not like '/%'
group by target, assignee;

-- Drop unique index
drop index UK_ap_operation_target_assignee on assigned_permission;

-- Fix wrong targets
update assigned_permission
set target = concat('/tenants/', substring_index(target, '-', 1), '/inventories/', target)
where target not like '/%';

-- Eliminate duplicates
delete
from assigned_permission
where id not in
(select max(id)
from assigned_permission
group by assignee, operation_name, target);

-- Re-create unique index
alter table assigned_permission add constraint UK_ap_operation_target_assignee unique (operation_name, target, assignee);

Changes

  • FIXED: The bug where incorrect permission settings were created if an inventory was imported as a .zip file. Because of this, you could not view, edit or use the inventory for deployments.

See Standard Patterns Release Notes.

Standard Patterns 4.5.8 LTS Release Notes - 2020-11-18

Release information

Build version: 4.5.8.1

How to install and use the plug-ins

To start using this library, see "Editing Project Pattern Libraries".

Changes

  • Fixed the issue with the broken status.sh, which happened when you used the Generic nevisProxy Instance Settings pattern to patch Connector elements.
  • Fixed an endless loop that occurred during the generation of authentication flows with back-references.
  • Fixed the validation of the property Apply only to sub-paths in Application Protection patterns.
  • Fixed the issue with the deployment of files to multiple Virtual Hosts with an HTTP Error Handling pattern.
  • Added support for keeping headers in the HTTP Error Handling pattern.

Known issues

  • If you use older Frontend TLS Settings, Google Chrome may hang during logout.
  • The nevisProxy LuaFilter removes the Content-Length header when applied on responses.

nevisAdmin 4.5.7 LTS Release Notes - 2020-08-19

Release information

  • nevisAppliance: 2.201911.718-LTS
  • RPM: nevisadmin4-4.5.7.2-1.noarch.rpm
  • GUI Version: FE 4.5.0-70 - BE 4.5.7.2

Upgrade instructions and breaking changes

Consult "Software Upgrade" for general upgrade instructions.

Changes

  • Included Standard Patterns libraries updated from 4.5.6 to 4.5.7 version.
  • FIXED: We fixed the issue whereby Direct deployment fails in Preview step if the remote server has a file larger than 2GB which is managed by nevisAdmin 4.

See "Standard Patterns Release Notes", releases 4.5.6 to 4.5.7.

Standard Patterns 4.5.7 LTS Release Notes - 2020-08-19

Release information

Build version: 4.5.7.3

How to install and use the plug-ins

To start using this library, see "Editing Project Pattern Libraries".

Changes

  • We fixed the SAML SP Connector pattern to allow SP URL values without a path and with query parameters.
  • A bug was fixed in the HTTP Error Handling pattern. It led to empty files being generated when the pattern is used more than once on the same nevisProxy Instance.
  • We now support the use of nevisKeybox Store for the Key Store and Trust Store in nevisLogrend Instance patterns.
  • We fixed a missing servlet for nevisLogrend in web.xml when a realm was used on multiple Virtual Host patterns.

Known issues

  • If you use older Frontend TLS Settings, Google Chrome may hang during logout.
  • The nevisProxy LuaFilter removes the Content-Length header when applied on responses.

nevisAdmin 4.5.6 LTS Release Notes - 2020-05-20

Release information

  • nevisAppliance: 2.201911.582 LTS
  • RPM: nevisadmin4-4.5.6.165-1.noarch.rpm
  • GUI Version: FE 4.5.0-70 - BE 4.5.6.165

Upgrade instructions and breaking changes

See Software Upgrade for general upgrade instructions.

Changes

Included Standard Patterns libraries updated from 4.5.4 to 4.5.6 version.

See Standard Patterns Release Notes.

Standard Patterns 4.5.6 LTS Release Notes - 2020-05-20

Release information

Build version: 4.5.6.8

How to install and use the plug-ins

To start using this library, see Editing Project Pattern Libraries.

Changes

  • The Custom Dependencies property of the nevisAuth Instance pattern has been aligned with the content of the nevisAuth Developer Guide:

  • Filters that enforce a session upgrade are now mapped before filters that issue tokens for applications.

  • You can now use the Generic Application Settings pattern in combination with the Generic Authentication Service pattern.

  • You can now use the expressions ${service.name} and ${service.mapping} to configure the Remove Filter Mappings setting of the Generic Application Settings pattern.

  • Two ModSecurity rules have been whitelisted for the User Import page of the nevisIDM Administration GUI (pattern).

  • The nevisLogrend template used for a SAML logout in the SAML IDP pattern has been improved.

  • It is now ensured that InterceptionRedirect is set to "never" for the SecurityRoleFilter, when the same parameter is set for the IdentityCreationFilter.

  • The filter that implements Session Cookie Same Site Relaxation is now mapped to paths that are protected by the realm only (instead of to */**).

  • The SAML SP Realm pattern includes several changes:

    This is a protection against a limitation of the nevisProxy LuaFilter (see Known issues).

  • Fixed a potential security issue for SP-initiated SAML authentication. As a consequence, the SAML SP Connector pattern changed as follows:

    • If there is a warning in the pattern, remove the value for this property.
    • Use the URL that is sent by the SP in the received SAML AuthnRequest messages.

You may have to adapt the configuration of your SAML SP Connector patterns because of these changes.

  • Fixed a bug in the validation of the Allowed HTTP Methods parameter. As a result, the HTTP method PATCH is now allowed for applications.

  • Fixed a bug in the SAML redirect binding, by adding the query parameter Signature.
  • Fixed the bug where the Authorization Policy pattern blocked access to static resources and nevisLogrend when it was assigned to an application with path /.
  • Fixed a parsing bug in the SOAP Service pattern that occurred when uploading XSD files for the SOAP Schema Validation property/field.

Known issues

  • If you use older Frontend TLS Settings, Google Chrome may hang during logout.
  • The nevisProxy LuaFilter removes the Content-Length header when applied on responses.

Standard Patterns 4.5.5 LTS Release Notes - 2020-03-03

Release information

Build version: 4.5.5.1

How to install and use the plug-ins

To start using the plug-ins, see Editing Project Pattern Libraries in the nevisAdmin 4 User Guide.

Changes

  • The CSRF Protection Settings pattern now allows requests that use the HEAD method.
  • Fixed a syntax error in a generated Lua script.

nevisAdmin 4.5.4 LTS Release Notes - 2020-02-19

Release information

  • nevisAppliance: 2.201911.511
  • RPM: nevisadmin4-4.5.4.101-1.noarch.rpm
  • GUI Version: FE 4.5.0-70 - BE 4.5.4.101

Upgrade instructions and breaking changes

See Software Upgrade for general upgrade instructions.

Changes

Included Standard Patterns libraries updated from version 4.5.0 to 4.5.4.

See Standard Patterns Release Notes.

Standard Patterns 4.5.4 LTS Release Notes - 2020-02-19

Release information

Build version: 4.5.4.140

How to install and use the plug-ins

To start using the plug-ins, see Editing Project Pattern Libraries in the nevisAdmin 4 User Guide.

Changes

  • Fixed a bug which prevented the use of Out-of-band Mobile Authentication as the first factor.
  • Fixed a bug in the REST Service pattern, which mapped the filter for JSON validation to a wrong path (/*).
  • The nevisFIDO Instance pattern now supports the usage of nevisKeybox Store patterns for key management.
  • Experimental support is now available for Artifact Binding in combination with the SAML Response Consumer pattern.

Standard Patterns 4.5.3 LTS Release Notes - 2020-01-30

Release information

Build version: 4.5.3.128128128

How to install and use the plug-ins

To start using the plug-ins, see Editing Project Pattern Libraries in the nevisAdmin 4 User Guide.

Changes

  • Several nevisIDM patterns have a new name:
  • It is now possible to configure the Same Site flag of nevisProxy session cookies. For this, use the Session Cookie Same Site attribute in the Realm patterns (such as the Authentication Realm pattern or the SAML SP Realm pattern). Set the attribute as follows:

The value "None" may become the new default in a future release.

  • Support for the assignment of a nevisIDM Connector pattern to the nevisFIDO Instance pattern is now available.
  • Added a filter for each path of a SAML SP Realm pattern to make it possible to return Access-Control HTTP headers in responses. This is needed to allow cross-origin resource sharing (CORS).
  • Improved the error message that appears when you upload a .zip file that includes file names containing a space into the Login Template field. The Login Template field is part of the following patterns: SAML SP Realm, Authentication Realm, Generic Authentication Realm and Generic Authentication Service.
  • Fixed the bug where duplicate <servlet-mapping> elements were generated when using the Hosting Service pattern.
  • Fixed a bug in the restart command of the nevisLogrend Instance pattern that prevented the use of a non-root user for deployment.
  • Patterns and properties that are deprecated have been removed.

Known Limitations

  • The nevisKeybox Store pattern cannot be used for the truststores of the nevisFIDO Instance pattern.